Apache verification with PGP and MD5

Sinking into a Software Spiral

All I wanted was Apache but i'm in a nightmare software run around.

As soon as I downloaded apache ( Win32 Binary including OpenSSL 0.9.8i (MSI Installer): apache_2.2.11-win32-x86-openssl-0.9.8i.msi [PGP] [MD5] ) from the apache site my computer alerts me that it could be dangerous as it dosn't have a signature. The apache site also warms me that I must verify its signature by downloading "PGP signatures and MD5 hashes" avoiding mirrors (what ever they are.) and "download the KEYS as well as the asc signature file then verify the signatures usin this code % pgpk -a KEYS % pgpv apache_1.3.24.tar.gz.asc" in some unknown software.
So I look into signatures and downloading PGP and am told the only way to check I have a safe PGP progam is to download it from different sites and make the sure the source code matches. So I google it and download it for XP from two sites and look at the file expecting a text file where i can compare the code but no such luck . The the gnupg-w32cli-1.2.2.zip contains no readable files and the PGP Desktop9.10.0_Source.zip readmewin32.pdf says i need, Microsoft Visual Studio .NET, Microsoft Windows 2000 DDK Microsoft Windows 2003 IFS DDK Lotus C API Toolkit, Microsoft Platform SDK. I just wanted to download some Apache because XP home doesn't come with a server but i've already racheted up 8 additional required software and am no closer to being able to check it my apache version is safe.The Apache site claims the alternative method is to check the MD5 hash by downloading more unsafe unfathomable software MD5sums http://ftp.gnu.org/gnu/coreutils/ FSUM 2.52. Instead I use the link to a report page http://people.apache.org/~henkp/cgi-bin/md5.cgi instead but it doesn't say my apache file is ok. It just tells me the signature and md file are consistent which they should be since i got them together with the apachedownload. It also and generates a key ID and tells me it "Can't find key CB9B9EC5 in the strong set " or "the history of key 0xCB9B9EC5 : msd and rank". In order to check the authencity of the key i have to go back to PGP. So is the apache file with the dist/httpd/binaries/win32/apache_2.2.11-win32-x86-openssl-0.9.8i.msi.asc signature safe or not and how do i find out in the simplest possible way?

Can't wait to download Mysql and PHP

natalie_j wrote:Sinking into a Software Spiral

All I wanted was Apache but i'm in a nightmare software run around.

As soon as I downloaded apache ( Win32 Binary including OpenSSL 0.9.8i (MSI Installer): apache_2.2.11-win32-x86-openssl-0.9.8i.msi [PGP] [MD5] ) from the apache site my computer alerts me that it could be dangerous as it dosn't have a signature.

Can't wait to download Mysql and PHP

Well MySQL & PHP won't stop you getting signature errors from the Apache installer from the Apache website, and neither can we offer any solutions for issues with that 3rd party installer.

I would suggest you download PostgreSQL from http://www.enterprisedb.com/products/pgdownload.do#windows. At the end of the installation, it will run StackBuilder, in which you can opt to download and install the ApachePHP bundle. A few self-explanatory clicks later and you'll be running PostgreSQL along with Apache and PHP, with all the MD5 verification done behind the scenes so you don't have to worry about it.

Regards, Dave.